Apparently, if the pdf file has a "CR" somewhere in the path & file name (like crap.pdf), and protected mode is turned off, it throws a cryptic error about the user needing to accept the EULA for Adobe Acrobat (remember, this is when launching Reader, not Acrobat).

The fix is apparently to create a key for Adobe Acrobat and add a DWORD to accept the EULA.

Drove me nuts.. Not sure how this could have possibly managed to get programmed in there... code that operates differently, depending on the file name, is a little weird if you ask me..

These are the same people who can't release quarterly patches you can apply via msp over a security patch without rolling back to the last quarterly release first.

If you let it do the updates itself it works, and is completely useless if you don't allow your users to download. You can't send the 9.45 patch file to a 9.44 install for example.

Oh, and they also never update their ESD packages to the latest revision.

IIRC, I think someone in this thread noted that with (at least) one of their patches, they forgot to increment the version number, and apparently never fixed that patch. They just 'corrected' it in subsequent patches, though you still have to have the broken one in place.

I'm posting in this thread because I'm guessing I've been moderately hijacked through a Flash vulnerability - can't prove it, but it seems to fit the symptoms. I've been running the latest version (10.3.181.34), and I only use Firefox. This is on XP Home. I just ran a MBAM quick scan, which found nothing of consequence. AVG Free has been running continuously and is up to date, but I haven't run any scans.

I'm guessing (and hoping) that this will go away with some combination of a reboot, clearing caches, reinstalling Adobe Flash, maybe even just killing plugin-container.exe and letting it restart, but I wanted to document it before doing anything which would remove evidence.

Here's what's going on: I'm getting an extra Start Menu icon. It's in the default lower left corner, and the coloring is different from default, so it's easy to spot as a fake. (I keep my button in the upper left.) I've only seen it once apart from a necessary correlation with Flash:

The other times, it was as soon as I went into fullscreen with a Flash movie. (This happened on multiple reputable sites.) It goes away as soon as you exit full screen:

I've seen the button with that black and yellow coloring before - I think it was on a BartPE LiveCD. Not sure if it's an official alternative logo or if it's just made up to be a little different.

Please: don't pollute this thread with out-of-topic issues. Create your own thread if you have a question or want to open a discussion on something but this one is for discussing (and cursing about) vulnerabilities in Adobe's products (mostly flash and Acrobat).

I explained in my post why I thought this was related to a Flash vulnerability. Are you saying this thread is only for known/published/verified vulnerabilities, or perhaps only for vulnerabilities in the abstract rather than actual events?

Firstly, this is clearly related to Flash in that it had a reproducible component to it triggered by use of Flash, and was reproducible under varying conditions in which Flash was the one thing they had in common (I reproduced this on three respected and totally unrelated sites, and I reproduced it on both Firefox and Opera.)

Secondly, the nature of the aberration/bug is inconsistent with a non-malicious bug like graphics redraw mistakes, since a) the image used was not one that has appeared on my screen in any legitimate way, and b) its placement was consistently in the exact position of the screen which would best fool an average user into thinking it was the real thing (not random), and c) the issue was reproducible after killing and restarting associated processes. Ergo, the aberration is much more consistent with an attack than a simple bug.

- Still reproducible after killing and restarting plugin-container.exe
- Still reproducible after clearing Flash cache and settings
- Reproducible in another browser (Opera).
- Could not reproduce after system restart.

As I said in my initial post, I suspected this aberration would disappear without doing much to actively rid myself of it. I never claimed it to be a severe system-wide security breach. However, I still maintain that the nature of the symptoms points directly to a purposeful attack through a vulnerability of Adobe Flash. If the Flash screen output (as seen by the user) of any arbitrary site can be changed or replaced through means unplanned/unknown to the user, the possibility of security issues is imminent - just use your imagination.

If you can document an actual Flash exploit that's one thing, but all you're doing is conjecture. So yeah, it's not on topic for this thread at all, in as much as anyone can drive a thread's topic here.

If you think there might be a previously unknown 0-day Flash exploit running in the wild, post a URL to the Flash object here. For anything else, start a new thread. It could be a multi-pronged JS attack or any of a handful of other things.

Just a question: do you delete the old package or do you have to keep them to make sure they are uninstalled and upgraded?

I pretty much ignore it completely.

In Local Update Publisher I just set the new one to supersede the previous version. All have been 10.3.x.y so far. I don't know how it will work going to, say, 10.4.x.y or to 11.x.y.z. We'll just have to see. I did initially have problems, mostly caused by previous efforts at pushing Flash out via Group Policy. It left some bad keys in HKEY_CLASSES_ROOT\Installer\Products (one for each of the IE and the plugin versions). Just had to find & delete the key and it installed perfectly well. I had one site with about 40 affected computers, so a Group Policy Preference reg key delete took care of that.

In approximately 20 hours 220 (or 1/3) of my Windows clients now have the latest version of Flash. The previous Flash version ended up at 92% installed, which I'm very happy with. I'll never hit 100%, but 90% is very good.

I really like Local Update Publisher to inject Flash updates into WSUS.

Yeah, I know, and it's not as good as Reader. More secure, sure, but I'd rather they'd bundle Reader so that I can benefit from their security work for a product I still have to have for when the Chrome PDF Reader isn't enough.

I'd always suggest linking to the Adobe download site rather than a 3rd party one. There's too much risk downloading a potentially tampered-with app installer for things like Flash from other sites, and in Adobe's case there's no need; it's not a hard-to-get file.

Interestingly, Google don't have an updated version of Chrome available yet with the latest flash player. Typically they beat Adobe by a day or so.

Looks like it's legit. The about page lists 10.3.183.7 as the current version. However, it's not a security update, just a compatibility update. I'll put it in our Task Sequence for new builds, but I don't think I'll roll out the new version just yet. It is good that they fixed the MSI so it puts the control panel applet back. It's quite useful for our support teams.

Word is the new Flash Player is to help Adobe better compete in the new HTML 5 world of mobile browsers. Dunno, just reporting what I read. Let's hope it is more secure. Also, let's hope that Superman is still around to help with the world's problems.

Yeah, but that one's not out until October. Whatever this week's exploit is, it is seemingly bad enough to require another update for 10.3.

Apparently, the new version 10.3.183.10 is available on the distribution site and prompting folks, but they haven't updated the security page yet to say what it fixes. To me it means the list is quite long, or the exploit is bad enough that they were more concerned about getting the fix out first. Neither option is reassuring.

I'm importing the new MSIs into my SMS and SCCM servers now. I think I can do that in my sleep at this point...

I think one of the reasons for wanting to go 64-bit is the belief that there's more entropy in ASLR (I might be getting the terms wrong), but discussions on this board and repostings of stuff from Mark Russinovich seem to suggest that isn't the case.

Well, I downloaded the 64/32-bit combo version and installed it. Control Panel says "Adobe Flash Player 11 Plugin 64-bit" is installed, and it's working, even though I use 32-bit Firefox. Maybe it switches modes on the fly depending on the browser using it?

Correct. The 64-bit browser uses the 64-bit Adobe plugin and the 32-bit browser the 32-bit browser plugin. I only install the 32-bit on purpose, so that if I wanna surf the w3 without flash I can do so with the 64-bit browser.

A larger address space is better for ASLR, because it makes heap spraying (one possible way to bypass ASLR) more difficult.

ASLR isn't the end of all malware, although it is pretty effective right now. ASLR (along with DEP) is pretty effective right now because malware generally isn't written to bypass it; people tend to target systems where one or both aren't present, because it's easier to compromise those machines. Neither is bulletproof, though (even together); both can be bypassed with the correct techniques. See http://blogs.technet.com/b/srd/archive/ ... -aslr.aspx